OfficeMax’s Deceased Daughter Mail Blunder and the Limits of Privacy Law

Mike Seay and his wife have been mourning the loss of their teenage daughter, Ashley, for almost one year. Last week, they received an unwelcome reminder of her sudden death in the mail. And it was not an advertisement offering counseling for bereaved parents. It was a flier from the office supply store OfficeMax.

The OfficeMax flier was addressed to Ashley’s father: “Mike Seay, Daughter Killed in Car Crash.” The addressee line had this shocking headline, rather than simply his name. Mr. Seay’s 17-year-old daughter died in a car wreck with her boyfriend last February. And somehow, in a business world where personal data is mined and sold to corporations, Mr. Seay and his wife appear to have become the victims of marketing gone incredibly wrong. In a public statement, OfficeMax said that the mailing “is a result of a mailing list rented through a third-party provider” and offered its apologies to Mr. Seay. A spokeswoman told The New York Times that the company was still gathering information about what had happened.

“Why do they have that?” Mr. Seay said of the mailer with a headline about his daughter’s death. “What do they need that for? How she died, when she died? It’s not really personal, but looking at them, it is. That’s not something they would ever need.” While OfficeMax’s mailer is shocking and caused the family further distress, it is not something that existing privacy laws address, and this is the problem that consumers face: Companies have more and more information about them, and often have information that seems unrelated to the business relationship the companies have with a consumer. Mr. Seay has purchased office supplies at OfficeMax, and accordingly never expected that OfficeMax would keep tabs on whether a family member of his had died.

In this column, I will discuss the growing phenomenon of data aggregation, and the fact that the large-scale collection of data leads to harmful consequences for consumers when companies keep tabs on us in ways that are unrelated to our ordinary commercial transactions.

Data Mining: Blessing or Curse?

The data broker industry is growing daily. Data brokers aggregate information about millions of people and their personal habits, preferences, and traits. Brokers collect more than what we buy or read—and know about our religion, political leanings, hobbies, jobs and more. This practice has faced scrutiny from critics who worry about what is hidden in corporate data lockers.

Retail giant Target reportedly knows how to use its data to predict whether female customers are pregnant. It got into hot water when it sent a pregnancy mailer with discount coupons to a teenage girl—alerting her father to her pregnancy before she had told him (as I discussed in a prior column). The girl had not told Target that she was pregnant, but Target had made an assumption based on her purchasing patterns, and it turned out to be eerily accurate. Gatherers of consumer data also are reportedly selling lists of rape victims, and of AIDS/HIV patients, according to a privacy nonprofit that reported to Congress in December.

OfficeMax appears to be part of this trend. It hired a third-party marketing firm to send mailers, and this third-party firm may have mistakenly inserted the ghastly headline into Mr. Seay’s mailing address. OfficeMax has not identified the company that prepared the mailing list that it used to send the flier The marketing firm may have pulled the death information from public records or news headlines, and kept it on file.

This phenomenon is not always bad or unexpected. In some cases, such as upon the birth of a baby, or the death of a loved one, you expect to get some types of marketing—for diapers and baby food when you are expecting, and for funeral services and other types of estate services when a person has passed away. What was shocking about the OfficeMax blunder was the timing and the context. The Seays did not expect such a company to keep tabs on such information. What would be the reason for the company to do so? Insurers and health care providers know our family history. Retailers should not have the same level of information about topics that many people consider private.

OfficeMax spokeswoman Karen Denning said that the company is still looking into how the note about the Seays’ daughter ended up in the address field of mail from the company. According to her father, Ashley Seay had no credit cards, and was listed on her father’s car insurance when she died. In news reports, he said that he can’t imagine who provided OfficeMax with this personal and sensitive information.

What Can Be Done About Such Mishaps?

At present, very little can be done about such mailing mishaps. This was not an invasion of privacy in the sense that OfficeMax did not reveal a confidential fact about the Seays. The information is likely to be in a public record and, as such, is not a private and sensitive fact.

If a chronically-ill consumer had received a mailer identifying him as a person with a devastating illness—and this information conspicuously was on the front of the envelope—it might have created not only distress, but also a cause of action for the common law claim of invasion of privacy. But when companies trade or use public information, or sell information we have already disclosed to a retailer then that information is no longer private.

What about privacy regulation, or regulation of what data brokers can do in terms of compiling our information? This issue is trickier, for it is hard to come up with bright-line rules for what types of data companies may compile, given the vast amount of public data that does already reveal much about us that, while not private, also is not currently on the front page of the newspaper. More generally, the issue is one of context: It matters who is collecting and using our data, and for what ends.

Congress and the Federal Trade Commission (FTC) are busily looking into the brave new world of data brokers, where so many companies are now sweeping up all kind soft data about us, and keeping it—whether it is relevant to a particular business line or not. These robust profiles end up being used, at times, for purposes that seem irrelevant to the world of commerce.

The debacle in this area comes at a precarious time for data brokers. The FTC, about a year ago, ordered data-brokerage companies to furnish detailed data on their information collection practices so that the FTC could better examine the industry’s overall approach to the collection and use of consumer data.

The White House proposed, in 2012, a new consumer privacy bill of rights, which it has urged Congress to embed in new comprehensive privacy legislation. This “bill of rights” approach would attempt to give consumers a right to seek redress from companies and data brokers. One of the key components of the bill of rights was a respect for context. The Bill of Rights stated that, “[c]onsumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.” A second key principle relates to focused collection and asserts that consumers have a right to reasonable limits on the personal data that companies collect and retain.

These principles seem relevant when one talks about information that a company collects and uses. At Target, for example, perhaps the company should not use information it collects at the point of sale. What about a store’s using the fact that a woman is buying prenatal vitamins to market pregnancy coupons to her? Because this is a sensitive issue, the company should not use information to predict something without the customer’s first disclosing her condition, What if, for example, a woman has miscarried and keeps receiving pregnancy coupons? Or, in the case of a pregnant teen, what if Target tells her dad before she gets a chance to do so herself?

More generally, should Target be in the business of predicting serious health patterns based solely on shopping patterns? The issue of context is also relevant, as the OfficeMax situation illustrates. Companies need to consider what is relevant.

While a context-based approach to privacy and data-collection may not always stop companies from making mistakes, it might lower the risk of harm, and provide us with ways to access our digital data dossiers—and then ask companies to delete, or stop using, information that we find irrelevant to our business relationships. But at present, the Seays can only hope that OfficeMax does not let this happen again and gets to the bottom of the awful experience the Seays had to endure because of the mailer.

Anita Ramasastry is the UW Law Foundation Professor of Law at the University of Washington School of Law in Seattle, where she also directs the graduate program on Sustainable International Development. She is also a member of the Law, Technology and Arts Group at at the Law School. Ramasastry writes on law and technology, consumer and commercial law, and international law and globalization.

reading this article it strikes me that the only sure way to avoid erroneous data dissemination about ourselves is to pay everything by cash and not give identifying information of any kind to the sales person. of course this would have limited benefits when, for example, buying a car, which requires all kinds of connection with legally involved agencies, including insurance companies. but it can limit the amount of data about ourselves that comes to inhabit the cyber world.

All purchases and subsequent sales of personal health records are hidden from patients. Patients are not asked for informed consent or given meaningful notice. IMS Health Holdings sells health data to “5,000 clients,” including the US Government.

Congress and the FTC should also mandate the ability of the consumer to correct the information that is collected and provide an avenue for demanding verification of the data collected. Incorrect data is spawning on its own and when challenged, these data brokers fall back on “it’s public record.”

University of Washington law professor Anita Ramasastry discusses a new company called Shuddle, which bills itself as an Uber-like car service for transporting children from place to place. Ramasastry... more

University of Washington law professor Anita Ramasastry discusses the crypto-currency Bitcoin and how different authorities have come to different conclusions as to whether it is money. Continue... more

University of Washington law professor Anita Ramasastry discusses the growing personal use of unmanned aerial vehicles (colloquially known as drones) by individuals for spying and other nefarious... more

Hewlett Packard (HP) has unveiled a new mobile app that retailers can use to stalk people as they shop, to send them targeted ads and promotions. Called SmartShopper, it was unveiled at the Interop... more

Justia columnist and U. Washington law professor Anita Ramasastry comments on recent headlines that caused a panic in the Bitcoin and cryptocurrency world: The largest Bitcoin exchange, Mt. Gox, was... more

Justia columnist and U.Washington law professor Anita Ramasastry comments on the question whether Bitcoin—a so-called virtual peer-to-peer currency—should be regulated by the U.S. and/or States... more